[英]Showing plain PHP code in a HTML page
And I'm talking (especially) forums here - [PHP]code here[/PHP] - style . 我在这里(特别是)论坛 - [PHP]代码[/ PHP] - 风格 。 Some forums escape double quotes or other "dangerous characters" and others don't.
一些论坛逃脱双引号或其他“危险人物”而其他论坛则没有。
What is the best method? 什么是最好的方法? What are you guys using?
你们有什么用? Can it be done without the fear of code injection?
可以在不担心代码注入的情况下完成吗?
Edit: Who said anything about reinventing the wheel? 编辑:谁说重新发明轮子?
When PHP echo
or print
text, it never executes it. 当PHP
echo
或print
文本时,它永远不会执行它。 That only happens with eval
. 这只发生在
eval
。 This means that if you did this: 这意味着如果你这样做:
echo '<?php ... ?>';
it would carry through to the page output and not be parsed or executed. 它会传递给页面输出而不会被解析或执行。
This means that all you need to do is escape the usual characters ( <
, >
, &
, etc.) and you should generally be safe. 这意味着你需要做的只是逃避通常的字符(
<
, >
, &
等),你通常应该是安全的。
Don't reinvent the wheel. 不要重新发明轮子。 I see BBCode in your question.
我在你的问题中看到了BBCode。 Grab a markdown library and use it instead.
拿一个降价库并改为使用它。 SO uses this: http://daringfireball.net/projects/markdown/
SO使用这个: http : //daringfireball.net/projects/markdown/
<
>
brackets usually being escaped, for obvious reason. <
>
括号通常被转义,原因很明显。 If you see escaped quotes on some page, that's most likely because their script escaped them twice (for example magic_quotes did it once, then mysql_query() again). 如果您在某些页面上看到转义引号,那很可能是因为它们的脚本将它们转义两次(例如,magic_quotes只执行一次,然后再次使用mysql_query())。 When data sanitisation is done properly, you should not see escape characters in output.
正确完成数据清理后,您不应在输出中看到转义字符。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.